DOD's open cyber recommendations date back to 2012
DOD's Office of Inspector General said in a report that the department has yet to implement nearly 500 cybersecurity recommendations. SAUL LOEB / Getty Images
The Defense Department's Office of Inspector General points out longstanding unmet requests in a report rounding up recent cybersecurity oversight.
The Department of Defense has open cybersecurity recommendations dating back more than 10 years, according to a report compiled by the agency's internal watchdog.
DOD's Office of Inspector General said in a recent report that the agency had 478 open cybersecurity-related recommendations from earlier oversight reports, with some dating to 2012.
The January 2023 report doesn't contain new recommendations, but does round up cybersecurity oversight going back to July 1, 2020, and identifies certain trends in cybersecurity oversight from OIG, the Government Accountability Office and other oversight organizations inside DOD.
One key observation relates to the nature of oversight itself. Oversight relating to the use of the National Institute of Standards and Technology cybersecurity framework skews strongly to just a few of the five pillars of NIST's framework: identify, protect, detect, response and recovery.
The identify function - which includes asset and identity management, along with the protect function which includes developing and implementing cyber defense strategies, were frequent topics in oversight reports. The respond and recover functions, covering resilience efforts, were not as regularly featured in oversight reports.
The report also stated that while DOD is making strides in improving its cybersecurity posture, much work remains to be done.
"Cybersecurity reports issued during the past two years demonstrate that the DOD continues to face significant challenges in managing cybersecurity risks to its systems and networks," the report states. Not surprisingly, the IG report suggests that implementing open recommendations is a key step to improving DOD cybersecurity.
"The longer it takes the DOD to implement corrective actions, the more likely it is that DOD cybersecurity vulnerabilities and threats could be exploited, causing security incidents that disrupt critical operations; leading to inappropriate access to and disclosure, modification or destruction of sensitive and classified information; and threatening national security," the report states.